15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

15-May-03D.P.Kelsey, SCG Summary2 Authentication

15-May-03D.P.Kelsey, SCG Summary3 Certificate Authorities WP6 CA group –EDG, CrossGrid, LCG 5 new CA’s (in 2003) 3 updated CA’s (Ireland, UK, US DOE) 18 on the trusted list (today) Canada, CERN, Cyprus, Czech Republic, France, Germany, Greece, Ireland, Italy, Netherlands, Nordic, Poland, Portugal, Russia, Slovakia, Spain, UK, USA “Catch-all” operated by CNRS/France Under development/consideration Belgium, FNAL (KCA), Hungary, Israel, Japan, Taiwan, (Austria?) FNAL and Taiwan the furthest down the road Next CA meeting: 12/13 June 2003

15-May-03D.P.Kelsey, SCG Summary4 Online AuthN/AuthZ FNAL running a Kerberos CA (KCA) –CERN also interested –User authenticates via Kerberos mechanisms –KCA issues short-lived certificate for Grid Key Management Concerns –User-held private keys – security concerns Need also to consider MyProxy, VSC, VOMS, … –And indeed User-generated Proxy certs “long-lived” CA’s different from online (short-lived) services –“Online” run by the project LCG-1 working towards interim trust of KCA –And FNAL trust of EDG CA’s

15-May-03D.P.Kelsey, SCG Summary5 Design (see D7.6)

Overview of the New Security Model - n° 6 Overview MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request focus is on VOMS details are in D7.6 Security Design

Overview of the New Security Model - n° 7 VOMS

Overview of the New Security Model - n° 8 User’s Authorization in EDG 1.4.x VO-LDAP user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) VO-LDAP CA mkgridmap crl update low frequency high frequency host cert (long life ) registration grid-proxy-init

Overview of the New Security Model - n° 9 User’s Authorization in EDG 2.x VO-VOMS user service authentication & authorization info user cert (long life ) VO-VOMS CA low frequency high frequency host cert (long life ) authz cert (short life) service cert (short life) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration LCAS edg-java-security

Overview of the New Security Model - n° 10 Migration to VOMS VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 0. VOMS userservice proxy (voms) grid-mapfile phase 2. VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 1. VOMS userservice phase 3. proxy (voms) testing the VOMS serversuser management on VOMS compatibility mode: mixed servicesfully migrated: only VOMS-aware services VO-LDAP grid-proxy-init edg-mkgridmap voms-proxy-init edg-mkgridmap voms-proxy-init

15-May-03D.P.Kelsey, SCG Summary11 Applications

15-May-03D.P.Kelsey, SCG Summary12 WP8 Security Joint session this week Need VOMS and file ACL’s –Working on detailed Use cases for Groups/Roles “Production” can write files “User” can read files Discussed plans for LCG-1 User Registration –Checks on User before registration in VO

15-May-03D.P.Kelsey, SCG Summary13 WP9 Security Joint session this week Need VOMS –Groups = experiments (like sub-VO’s) –And Roles Need file ACL’s to control who can write/read

15-May-03D.P.Kelsey, SCG Summary14 WP10 Security See use cases in D7.6 Joint session this week The most requirements for security Medical images –Different access for patient, doctor, researcher –Require encryption –No unpriv. access to contents of ACL’s Needs WP2 fine-grained AuthZ to RC –Not on the current plan?

15-May-03D.P.Kelsey, SCG Summary15 Security Plans for TB 3

15-May-03D.P.Kelsey, SCG Summary16 Plans for TB 3 Reminder –Both EU Reviews encouraged more on Security Particularly for Bio-medical Release 2.0 –Improved security But need C/C++ security API (WP2, WP3,…) –Limited AuthZ LCAS in 2.0 Grid mapfile General statement –No major EDG functionality change between 2.0 and TB3 –BUT… we need security –Will the WP’s succeed? Risks: could break everything!!

15-May-03D.P.Kelsey, SCG Summary17 VOMS Ready, being tested (INFN, NIKHEF, CERN…) Dropped off end of list for 2.0 release High priority item! –integration immediately after 2.0

15-May-03D.P.Kelsey, SCG Summary18 Middleware plans (TB3) WP1 –AuthZ support for scheduling and admin access? WP2 –Delegation through G-HTTPS –VOMS integration –Authorization manager and admin interface WP3 –Authentication (not in 2.0 – need C/C++ API) –Planning for AuthZ (need delegation)? WP4 –LCMAPS, new LCAS, VOMS plug-in WP5 –File-level Access Control (VOMS, GACL) –Needs delegation (SRMcopy), how to define ACL?

15-May-03D.P.Kelsey, SCG Summary19 Summary We must aim to release the security components –VOMS, LCAS/LCMAPS, Java Security, … –WP8/9/10 have clear requirements Need to decide – can we do the WP10 confidentiality? –Groups/roles in VOMS and file ACL’s The highest priority WP2/WP5 and WP4 critical here Need more work on the ACL model –WP1 and WP3 security (lower priority?) Will need careful coordination over coming months Stability, Stability, Stability,… Yes, but… Security, Security, Security,…